So, it really depends on your personal threat model.
For background: the biometric data doesn’t leave the device, it uses an on-device recognition system to either unlock the device, or to gain access to a hardware security module that uses very strong cryptography for authentication.
Most people aren’t defending against an attacker who has access to them and their device at the same time, they’re defending against someone who has either the device or neither.
The hardware security module effectively eliminates the remote attacker when used with either biometric or PIN.
For the stolen or lost phone attack, biometric is slightly more secure, but it’s moot because of the pin existing for fallback.
The biggest security advantage the biometrics have to offer is that they’re very hard to forget, and very easy to use.
Ease of use means more people are likely to adopt the security features using that hardware security module provides, and that’s what’s really dialing up the security.
Passwords are most people’s biggest vulnerability.
I’ve read all this before. If you believe the people who designed and implemented the device and its myriad layers of firmware and software were 1. All acting in good faith and 2. Knew WTF they were doing… then: yes, sure.
Unfortunately that’s way too many strangers for me. Hundreds of people design and code these things. Meanwhile, every week there’s a clever new breach somewhere.
While I do respect that viewpoint, there’s a lot more independent scrutiny of the hardware modules than there are around the parts that would handle any other authentication mechanism you might use.
Just because something isn’t perfect doesn’t mean we should keep using the less good thing that it replaces.
Use the PIN if that’s more your cup of tea, just so long as you move away from passwords, since it’s the HSM that’s the protection, not the biometrics. Those are just to make it easier than passwords.
So, it really depends on your personal threat model.
For background: the biometric data doesn’t leave the device, it uses an on-device recognition system to either unlock the device, or to gain access to a hardware security module that uses very strong cryptography for authentication.
Most people aren’t defending against an attacker who has access to them and their device at the same time, they’re defending against someone who has either the device or neither.
The hardware security module effectively eliminates the remote attacker when used with either biometric or PIN.
For the stolen or lost phone attack, biometric is slightly more secure, but it’s moot because of the pin existing for fallback.
The biggest security advantage the biometrics have to offer is that they’re very hard to forget, and very easy to use.
Ease of use means more people are likely to adopt the security features using that hardware security module provides, and that’s what’s really dialing up the security.
Passwords are most people’s biggest vulnerability.
I’ve read all this before. If you believe the people who designed and implemented the device and its myriad layers of firmware and software were 1. All acting in good faith and 2. Knew WTF they were doing… then: yes, sure.
Unfortunately that’s way too many strangers for me. Hundreds of people design and code these things. Meanwhile, every week there’s a clever new breach somewhere.
While I do respect that viewpoint, there’s a lot more independent scrutiny of the hardware modules than there are around the parts that would handle any other authentication mechanism you might use.
Pixel phone example iPhone example
Just because something isn’t perfect doesn’t mean we should keep using the less good thing that it replaces.
Use the PIN if that’s more your cup of tea, just so long as you move away from passwords, since it’s the HSM that’s the protection, not the biometrics. Those are just to make it easier than passwords.
You can change PINs and passwords, but you cannot change your biometric data.
It’s about as smart as using your SSN as your username.
The point being that most people do not need to ever change their biometric data, because it isn’t used for remote authentication.
It’s about picking the right threat model, and for most people anything that gets them using the HSM is an improvement to their security.
If you’re that afraid if the people who build phones, why are you ok with using any device that can access the internet?
I like how being cautious with my biometric data is beung framed as irrational fear and paranoia. As if ID theft never happens.